Hi,

I know this has been discussed here before and I've read the previous threads in the archive. In my case there is, however, something new - or at least something that was not discussed previously - that I do not understand, and I would appreciate your advice.

I have a DSL connection with a dynamic IP assigned by DHCP. I also have three computers on my network: one OpenBSD, one Linux and one Windows XP. For the moment they are all connected directly to a switch, which in turn is connected to an ADSL bridge/router (Zyxel 645R).

Connecting the Linux and OpenBSD computers to the net was uneventful. However, after a fresh Windows XP Pro was installed on the third computer, I began to notice an increasing amount of traffic hitting its port 1214 - I know this to be the port for Kazaa and Morpheus. I run neither. The scans come from all over the world and from different ports, but they invariably target port 1214. The traffic looks like this (ZoneAlarm format, xxx = I obfuscated the last two numbers of my IP):

FWIN,2003/07/27,15:50:08 +3:00 GMT,66.130.133.21:4312,195.197.xxx.xxx:1214,TCP (flags:S)
FWIN,2003/07/27,15:50:08 +3:00 GMT,24.51.192.6:3842,195.197.xxx.xxx:1214,TCP (flags:S)

Now, the interesting bit is this. If I switch off the Windows XP computer, the traffic dies down entirely in a few hours. If I switch the XP computer on again, the hits to port 1214 reappear in no time. The Linux and OpenBSD computers never seem to trigger this "flood" of packets.

So my question is: how do these sites that send packets to my port 1214 "know" that the WinXP computer is up? Remember, it was a fresh install. Why do they seem to ignore the Linux and OpenBSD boxes that are on the same network? It does not seem to be the IP number: the XP box has been assigned several different IP numbers by the ISP's DHCP so far. Could my computer signal someone out there that it is alive?
Well, when I start the XP computer, tcpdump on Linux shows outgoing DHCP and NetBIOS requests, which do sometimes appear to go to somewhat strange addresses like DNS servers in another country. But why would a fresh XP install do this?

Although my bandwidth seems to be mostly unaffected, I find these hits very disturbing and they clog up my logs. Any advice is appreciated.

Regards,
Mika
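For anyone sifting through a ZoneAlarm log like the one above, here is a small parser for the FWIN line format that tallies inbound SYNs to a given port per source address, so repeat sources can be separated from background noise. This is an added example, not something from the original post; the sample log lines are constructed (the two quoted entries plus made-up extras) and the threshold is an arbitrary choice.

```python
import re
from collections import Counter

# Constructed sample in the ZoneAlarm FWIN format quoted in the post:
# the two original entries plus constructed extras (not real captured traffic).
SAMPLE_LOG = """\
FWIN,2003/07/27,15:50:08 +3:00 GMT,66.130.133.21:4312,195.197.xxx.xxx:1214,TCP (flags:S)
FWIN,2003/07/27,15:50:08 +3:00 GMT,24.51.192.6:3842,195.197.xxx.xxx:1214,TCP (flags:S)
FWIN,2003/07/27,15:51:12 +3:00 GMT,66.130.133.21:4313,195.197.xxx.xxx:1214,TCP (flags:S)
FWIN,2003/07/27,15:52:40 +3:00 GMT,10.0.0.9:53,195.197.xxx.xxx:1027,UDP
FWIN,2003/07/27,15:53:01 +3:00 GMT,66.130.133.21:4314,195.197.xxx.xxx:1214,TCP (flags:S)
"""

# FWIN,<date>,<time zone>,<src>:<sport>,<dst>:<dport>,<proto>[ (flags:X)]
FWIN_RE = re.compile(
    r"^FWIN,(?P<date>[^,]+),(?P<time>[^,]+),"
    r"(?P<src>[^:]+):(?P<sport>\d+),(?P<dst>[^:]+):(?P<dport>\d+),"
    r"(?P<proto>\w+)(?: \(flags:(?P<flags>[A-Z]+)\))?$"
)

def parse_fwin(line):
    """Return a dict for one ZoneAlarm FWIN line, or None if it does not match."""
    m = FWIN_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def summarize(log_text, port=1214, syn_only=True):
    """Count inbound hits to `port` per source address (SYN-only by default).
    Returns (total_hits, Counter mapping source address -> hits)."""
    by_src = Counter()
    for line in log_text.splitlines():
        rec = parse_fwin(line)
        if rec is None or rec["dport"] != port:
            continue
        if syn_only and rec["flags"] != "S":
            continue
        by_src[rec["src"]] += 1
    return sum(by_src.values()), by_src

def repeat_offenders(by_src, threshold=3):
    """Sources that hit the port at least `threshold` times (threshold is an
    arbitrary example value): the ones worth a firewall rule or a closer look."""
    return sorted(s for s, n in by_src.items() if n >= threshold)

if __name__ == "__main__":
    total, by_src = summarize(SAMPLE_LOG)
    print(f"{total} SYNs to port 1214 from {len(by_src)} sources")
    for src, n in by_src.most_common():
        print(f"  {src}: {n}")
    print("repeat offenders:", repeat_offenders(by_src))
```

Feed it the real log instead of SAMPLE_LOG and compare the per-source counts while the XP box is up against a period when it is off; a source that keeps retrying is a good candidate for a block rule at the Zyxel.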
This archive was generated by hypermail 2b30 : Sun Jul 27 2003 - 11:28:34 PDT